Computer Lab Network Lockdown Tool
The Computer Lab Network Lockdown Tool is available at https://istns.uwaterloo.ca/ona/lockdown.php
This tool provides a way for computer lab administrators to lock down network access during exams via
a web-based interface. The tool can be made available to specific userids and/or specific IP names (e.g. a podium machine
used by multiple instructors).
The tool requires pre-configuration for the given lab, and the degree of network lockdown (e.g. deny all traffic in/out
of lab, or deny traffic in/out of UW). Once configured, lab administrators need only choose between "Lockdown"
and "Open", and the pre-configured access control lists are applied, or removed, respectively.
Network staff create an ACL on the switch with the desired rules. The ACL can be applied on an
upstream router, on a switch uplink, or even on all edge ports (for devices that support that).
ip access-list extended "DENY_EXT"
20 remark "Allow on campus access"
22 permit ip 18.104.22.168 0.0.0.3 22.214.171.124 0.0.255.255
24 permit ip 126.96.36.199 0.0.0.7 188.8.131.52 0.0.255.255
26 permit ip 184.108.40.206 0.0.0.7 220.127.116.11 0.0.255.255
30 remark "Deny off campus access"
32 deny ip 18.104.22.168 0.0.0.3 0.0.0.0 255.255.255.255
34 deny ip 22.214.171.124 0.0.0.7 0.0.0.0 255.255.255.255
36 deny ip 126.96.36.199 0.0.0.7 0.0.0.0 255.255.255.255
40 remark "Allow the rest"
42 permit ip 188.8.131.52 0.0.0.255 0.0.0.0 255.255.255.255
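Before an ACL like the one above is handed to lab administrators, its permit/deny ordering can be checked offline. The following is an added example, not part of the tool or of the original page: it parses entries in the same layout and evaluates test flows, assuming the usual first-match semantics with an implicit deny at the end. The addresses are constructed for illustration (lab hosts 10.20.30.0-7, campus 10.20.0.0/16), and the function names are hypothetical.

```python
import ipaddress

# Constructed ACL in the same layout as the page's example; the addresses are
# made up for illustration (lab hosts 10.20.30.0-7, campus 10.20.0.0/16).
SAMPLE_ACL = """\
ip access-list extended "DENY_EXT"
20 remark "Allow on campus access"
22 permit ip 10.20.30.0 0.0.0.7 10.20.0.0 0.0.255.255
30 remark "Deny off campus access"
32 deny ip 10.20.30.0 0.0.0.7 0.0.0.0 255.255.255.255
40 remark "Allow the rest"
42 permit ip 10.20.30.0 0.0.0.255 0.0.0.0 255.255.255.255
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_acl(text):
    """Return [(seq, action, src, src_wild, dst, dst_wild)] sorted by sequence number."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        # Keep only "<seq> permit|deny ip <src> <wild> <dst> <wild>" entries;
        # the header line and remark lines are skipped.
        if len(f) == 7 and f[0].isdigit() and f[1] in ("permit", "deny") and f[2] == "ip":
            rules.append((int(f[0]), f[1], *map(_ip, f[3:7])))
    return sorted(rules)

def _matches(addr, base, wild):
    # Wildcard mask: 0 bits must match, 1 bits are ignored.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(rules, src, dst):
    """First matching entry decides; no match falls to the implicit deny (assumed)."""
    s, d = _ip(src), _ip(dst)
    for seq, action, sb, sw, db, dw in rules:
        if _matches(s, sb, sw) and _matches(d, db, dw):
            return action, seq
    return "deny", None

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for src, dst in [("10.20.30.5", "10.20.1.1"), ("10.20.30.5", "203.0.113.9"),
                     ("10.20.30.40", "203.0.113.9"), ("10.99.0.1", "10.20.1.1")]:
        print(src, "->", dst, evaluate(rules, src, dst))
```

The returned sequence number shows which entry decided each flow, which makes it easy to spot a permit that shadows a later deny.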
The configuration tool at https://istns.uwaterloo.ca/ona/edit_table.php?table=lockdowns
is then used to edit the lockdowns table and give a name and description to the lab lockdown entry, and supply details
about the switch and interface the ACL is applied on.
Users of the lab lockdown web interface do not need to be added to the ona admins table, but they, or the fully qualified domain name of
the desired podium computer, need to be authorized through the Administrator Group Memberships
table in ona.
When a lab administrator uses the tool, it applies the ACL to the pre-configured interface.
If needed, multiple ACLs can be applied to multiple vlans, interfaces, and switches, for a given lab lockdown. This is
done by adding multiple entries to the ona lockdowns table, all with the same name. However,
it is recommended to keep things as simple as possible.